UK Government DMARC Requirements: NCSC Mandate and How to Comply

The UK government requires DMARC for public sector email. Learn about the NCSC mandate, compliance requirements, and how to implement DMARC for government organisations.

Last updated: 2026-05-11

The United Kingdom has been one of the strongest advocates for DMARC adoption worldwide. Through the National Cyber Security Centre (NCSC) and its Active Cyber Defence programme, the UK government mandates DMARC implementation across all public sector organisations. If your organisation operates under a .gov.uk domain or delivers public services, DMARC compliance is not optional — it is a baseline requirement.

This guide explains what the mandate requires, who must comply, and how to implement DMARC in line with NCSC expectations.

The NCSC DMARC Mandate

The requirement for DMARC across UK government stems from two key initiatives. The first is the Minimum Cyber Security Standard, published by the Cabinet Office, which sets the baseline security measures that all government departments and agencies must meet. Email authentication — specifically DMARC at an enforcement policy — is listed as a mandatory control.

The second is the NCSC's Active Cyber Defence (ACD) programme, launched in 2017. The ACD programme takes a proactive approach to reducing cyber harm at scale across the UK. DMARC is one of its cornerstone technologies, deployed to prevent attackers from spoofing government email domains to phish citizens, businesses, and other government bodies.

Together, these initiatives establish a clear expectation: every UK government organisation must publish a DMARC record with an enforcement policy and report compliance data to the NCSC.

The NCSC considers email spoofing one of the most common attack vectors against public trust in government communications. DMARC directly addresses this by preventing unauthorised senders from using government domains. For background on how DMARC works, see our complete guide to DMARC.

What the Requirement Says

The mandate is specific about the expected configuration. UK government organisations must:

  • Publish a DMARC record on every domain they control, including domains used for email and domains that should never send email
  • Set the policy to p=reject, the strongest enforcement level, which instructs receiving mail servers to block messages that fail DMARC authentication entirely
  • Configure aggregate reporting (rua) to send DMARC reports to the NCSC's Mail Check service, giving the NCSC visibility into compliance across the public sector
  • Maintain valid SPF and DKIM records alongside DMARC, since DMARC depends on at least one of these mechanisms passing and aligning with the visible "From" domain

A p=none or p=quarantine policy is considered a stepping stone, not a compliant end state. The goal is full rejection of spoofed messages. For a detailed comparison of policy levels, see our guide on DMARC policy levels.

Domains that do not send email still need a DMARC record. Attackers frequently spoof parked or unused domains precisely because they tend to lack authentication records. A p=reject record on non-sending domains prevents this abuse entirely.
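An added example (not from the page or the NCSC) that checks a published DMARC TXT record against the four requirements above; the Mail Check reporting address is a placeholder, since the real one is issued on registration:

```python
# Placeholder: substitute the rua address issued when you register with Mail Check.
MAIL_CHECK_RUA = "mailto:dmarc-rua@mailcheck.example"

def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary.
    Tag names are case-insensitive; values keep their case (rua addresses)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags

def check_compliance(record: str) -> list[str]:
    """Return findings against the mandate; an empty list means compliant."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        findings.append("missing or wrong version tag (expected v=DMARC1)")
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"policy is p={policy or 'absent'}, mandate expects p=reject")
    # sp defaults to p, so only an explicit weaker subdomain policy is a finding
    sub = tags.get("sp", "").lower()
    if sub and sub != "reject":
        findings.append(f"subdomain policy sp={sub} weakens enforcement")
    # pct defaults to 100; anything lower is a rollout stage left behind
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct} leaves {100 - pct}% of failing mail unenforced")
    rua = [u.strip().lower() for u in tags.get("rua", "").split(",") if u.strip()]
    if not rua:
        findings.append("no rua tag: aggregate reports are not being collected")
    elif MAIL_CHECK_RUA.lower() not in rua:
        findings.append("rua does not include the Mail Check reporting address")
    return findings
```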

NCSC Mail Check

The NCSC provides Mail Check, a free service for UK public sector organisations that simplifies DMARC monitoring and compliance. Mail Check acts as both a reporting destination and a compliance dashboard.

When you point your DMARC aggregate reports to Mail Check, the service processes the raw XML reports and presents them in a readable format. You can see which IP addresses are sending email on behalf of your domain, whether those messages pass SPF and DKIM, and where authentication failures occur.

Mail Check also tracks your organisation's progress toward full DMARC enforcement. It highlights domains that are still at p=none or p=quarantine, identifies authentication gaps, and provides actionable guidance on resolving issues. For organisations managing dozens or hundreds of domains, this centralised view is invaluable.

Registration is available to any UK public sector organisation. Once enrolled, you add the NCSC's reporting address to your DMARC record's rua tag alongside any internal reporting addresses you use.

Who Must Comply

The mandate applies broadly across the UK public sector:

  • Central government departments and ministerial offices
  • Executive agencies and non-departmental public bodies
  • Local authorities — county councils, district councils, metropolitan boroughs, and unitary authorities
  • NHS trusts and Clinical Commissioning Groups
  • Arms-length bodies and public corporations
  • Police forces and emergency services
  • Educational institutions operating under government funding or .gov.uk domains
  • Any organisation that uses a .gov.uk domain or sub-domain for email communication

If your organisation receives government funding, delivers public services, or operates under a .gov.uk domain, you should assume the mandate applies to you. Even where compliance is not strictly enforced for a particular body, the NCSC strongly recommends adoption as a matter of good security practice.

Implementation Steps for UK Government Organisations

Moving to full DMARC enforcement requires a methodical approach. Rushing to p=reject without understanding your email ecosystem will break legitimate mail flows.

1. Register with NCSC Mail Check

Visit the NCSC Mail Check portal and register your organisation. This gives you access to the compliance dashboard and provides the NCSC reporting address for your DMARC records. You will need to verify domain ownership during registration.

2. Audit all domains

Identify every domain your organisation owns — not just the primary .gov.uk domain. Include legacy domains, campaign domains, and parked domains. Each one needs its own DMARC record. Use dmarcrecordchecker.com to check the current state of each domain.

3. Deploy in monitoring mode

Publish a DMARC record at p=none with reporting enabled. This allows you to collect data on who is sending email using your domains without affecting mail delivery. Direct aggregate reports to both Mail Check and any internal reporting tool you use.

4. Fix authentication issues

Review the reports to identify all legitimate sending sources — internal mail servers, third-party services, marketing platforms, and transactional systems. Ensure each source has valid SPF records and properly configured DKIM signing. Fix any alignment failures before moving to enforcement.

5. Move to enforcement

Once reports show that all legitimate email passes authentication, move to p=quarantine first, then to p=reject. You can use the pct tag to roll out enforcement gradually — for example, starting with pct=25 to apply the policy to a quarter of failing messages, then increasing to pct=50, pct=75, and finally pct=100.

6. Maintain ongoing compliance

DMARC is not a one-time configuration. Monitor your reports through Mail Check on an ongoing basis. When new sending services are added, update your SPF and DKIM records before deploying them. Review your DMARC best practices periodically to ensure your configuration remains robust.
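As an added illustration of what Mail Check does with the raw XML reports described earlier, and of how the source review in step 4 can be driven from report data, here is a per-source summariser for a constructed aggregate (rua) report. This is example code, not Mail Check's; the domain and IP addresses are documentation placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report in the RFC 7489 Appendix C layout (abridged);
# the domain and IPs are documentation placeholders.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>mailbox.example</org_name><report_id>42</report_id></report_metadata>
  <policy_published><domain>council.example</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>council.example</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>council.example</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.4</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>council.example</header_from></identifiers>
  </record>
</feedback>"""

def summarise_report(xml_text: str) -> dict[str, dict[str, int]]:
    """Return {source_ip: {"total", "aligned", "failed"}} message counts.
    policy_evaluated/dkim and /spf already reflect alignment with the
    header From domain, so a message passes DMARC when either is 'pass'."""
    # Reports arrive from third parties; parse with defusedxml in production.
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {"total": 0, "aligned": 0, "failed": 0})
    for record in root.iter("record"):
        row = record.find("row")
        count = int(row.findtext("count", "0"))
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = summary[row.findtext("source_ip")]
        entry["total"] += count
        entry["aligned" if passed else "failed"] += count
    return dict(summary)

def failing_sources(xml_text: str) -> list[str]:
    """Sources with any DMARC failure: each must be identified and either
    authenticated (SPF/DKIM fixed) or confirmed illegitimate before p=reject."""
    return [ip for ip, s in summarise_report(xml_text).items() if s["failed"]]
```

The source that passes DKIM but fails SPF still passes DMARC, which is why the DKIM-only third-party sender in the sample does not appear in the failing list.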


Extending Beyond .gov.uk Domains

Many public sector organisations communicate with citizens using domains outside the .gov.uk namespace. NHS trusts may use nhs.uk domains. Local authorities might use legacy domains or campaign-specific domains for public engagement. Some bodies use commercial domains for specific services.

The NCSC's guidance is clear: protect all domains used for public communication, not just those under .gov.uk. If citizens or businesses might receive email from a domain associated with your organisation, that domain needs DMARC at enforcement. Attackers do not limit their spoofing to .gov.uk addresses — they will exploit whichever domain is most recognisable and least protected.

Non-sending domains deserve attention as well. If your organisation owns a domain that does not send email, publish a DMARC record with p=reject and an SPF record that authorises no senders (v=spf1 -all). Together these tell receivers that no mail from the domain is legitimate, so spoofed messages are rejected even though the domain has no sending infrastructure of its own.

For organisations managing multiple domains across different services, a centralised approach to DMARC reporting is essential. Mail Check can handle multiple domains under a single organisational account, giving you a unified view of compliance across your entire domain portfolio. See our guide on multi-domain DMARC management for practical strategies.

The Broader Context: UK as a Global Leader

The UK's approach to mandatory DMARC adoption has been remarkably effective. Since the Active Cyber Defence programme launched, DMARC adoption across UK government has risen dramatically, and the volume of spoofed government email reaching citizens has dropped significantly. The NCSC has reported that millions of malicious emails impersonating government domains are blocked each month as a direct result of DMARC enforcement.

This success has not gone unnoticed internationally. Australia's Essential Eight framework includes email authentication requirements with similar expectations. The United States mandated DMARC for federal agencies through BOD 18-01. The European Union has been moving toward stronger email authentication standards across member states. Canada, the Netherlands, and Denmark have all introduced their own public sector DMARC requirements.

For UK public sector organisations, compliance is both a security obligation and a contribution to a broader national defence strategy. Every domain that reaches p=reject makes it harder for attackers to impersonate government bodies, protecting not just your organisation but the public's trust in government communications as a whole.

The standards set by the NCSC also influence expectations in the private sector. As DMARC enforcement requirements from major mailbox providers continue to tighten, organisations that have already achieved compliance through the government mandate are well positioned. The discipline of auditing sending sources, fixing authentication, and maintaining enforcement translates directly to better email deliverability and security across all contexts.
